b'June 2005\nReport No. 05-020\n\n\nSystems and Data Conversion for the\nNew Financial Environment\n\n\n\n\n             AUDIT REPORT\n\x0c                                                                                                         Report No. 05-020\n                                                                                                                June 2005\n\n                                    Systems and Data Conversion for the New Financial\n                                    Environment\n\n                                    Results of Audit\nBackground and\nPurpose of Audit                    The FDIC had developed a general data conversion methodology tailored for the NFE\n                                    implementation at the FDIC that presents considerations common among all data\nThe FDIC Office of Inspector        conversion activities and a brief description of the approach to converting each\nGeneral (OIG) contracted with       application. KPMG had reservations regarding the lack of detailed data conversion,\nKPMG LLP to audit the               validation, and clean-up plans for the asset management, general ledger, vendor,\neffectiveness of the New            purchase order, accounts receivables and cash management functions. KPMG also\nFinancial Environment (NFE)         noted that performance testing proceeded without a detailed plan and did not include\nsystem development data and         critical tests. Lack of detailed plans and sufficient tests increased the likelihood of\nsystems conversion activities.      errors and omissions during the conversion process and limited the FDIC\xe2\x80\x99s ability to\nThe NFE\xe2\x80\x99s Transition Plan and       identify and resolve issues potentially impacting or interrupting NFE operations.\na Data Conversion Approach\nand Plan contained numerous         The audit was terminated during fieldwork to avoid delaying the NFE implementation\ninterdependent tasks for NFE        schedule. KPMG was unable to collect sufficient, competent, and relevant evidence\nsystem deployment. These            in a timely manner, as required by generally accepted government auditing standards,\ntasks included completing user      to provide a reasonable basis for audit conclusions related to the objective. Therefore,\nprocedures for 23 key business      KPMG disclaims from providing any assurances. However, KPMG did suggest that\noperations, ensuring data           its reservations and the associated risks be mitigated.\nintegrity for 35 retiring systems\nand 23 interfacing legacy           Management Response\nsystems, and conducting user\nacceptance testing for the core     The FDIC\xe2\x80\x99s Division of Finance (DOF) responded that the conversion activity\nfinancial system. The               planning and execution, coupled with the active involvement of data owners from the\nTransition Plan defined the         impacted business areas in planning, testing, and validation, provided a high degree of\noverall framework for the           confidence that the conversion of data would result in minimal and manageable\ntransition to the NFE system.       operational disruption and conversion errors. Regarding performance testing, DOF\nThe Data Conversion                 indicated that \xe2\x80\x9ctuning\xe2\x80\x9d of functions has continued following implementation in those\nApproach and Plan presented         few situations where on-line response time or batch throughput was found to need\nthe methodology for data            improvement. DOF expects this process to continue for several months, but no\nconversion activities (legacy       interruptions or delays in service are anticipated.\nsystems and PeopleSoft\napplications). NFE                  Due to the audit being terminated, we cannot confirm or evaluate the adequacy of the\ndeployment was scheduled for        various actions that DOF indicates were taken either in response to KPMG\xe2\x80\x99s\nMay 2, 2005.                        reservations or in the course of planned conversion activities.\n\nThe audit objective was to          NFE Conversion Stages\ndetermine whether the systems\nand data conversion plans and\nactivities were adequate to\nminimize the risk of errors and\nomissions during\nimplementation of the NFE.\n\n\n\n\nTo view the full report, go to\n                                         Source: New Financial Environment Data Conversion Approach and Plan,\nwww.fdicig.gov/2005reports.asp\n                                         Version 1, October 31, 2003\n\x0c                                       Table of Contents\n\n\n\nPart I:\n\n           Report by KPMG LLP\n           Systems and Data Conversion for the New Financial Environment   I-1\n\n\nPart II:\n           Corporation Comments and OIG Evaluation                         II-1\n           Corporation Comments                                            II-2\n\x0c      Part I\n\n\nReport by KPMG LLP\n\x0cSystems and Data Conversion for the New Financial\n                  Environment\n\n               Prepared for the\n      Federal Deposit Insurance Corporation\n          Office of Inspector General\n\x0c                            TABLE OF CONTENTS\n\nEXECUTIVE SUMMARY                                                    3\n\n      Results of Limited Review                                      3\n\nBACKGROUND                                                           4\n\n      NFE System Implementation                                      4\n      NFE Test Strategy                                              5\n      Data and Systems Conversion                                    5\n\nTHE FDIC\xe2\x80\x99S DATA AND SYSTEMS CONVERSION APPROACH                       6\nAND KPMG\xe2\x80\x99S RESERVATIONS\n\n      Data Conversion                                                 6\n      Systems Conversion                                              9\n      Conclusion                                                     10\n\nAPPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY                        11\n\nAPPENDIX B: RISK ASSESSMENT APPROACH                                 14\n\nTABLES\nTable 1: NFE Conversion Development Cycle                            7\nTable 2: Reservations Associated With Data Conversion Activities     8\nTable 3: Reservation Associated With Systems Conversion Activities   9\n\nFIGURE\nRisk Assessment Matrix                                               15\n\n\n\n\n                                      I-2\n\x0cEXECUTIVE SUMMARY\n\nThe Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG)\ncontracted with KPMG LLP to provide professional audit services. KPMG was tasked\nunder the contract to audit the effectiveness of the FDIC\xe2\x80\x99s New Financial Environment\n(NFE) system development data and systems conversion activities. The objective of the\naudit was to determine whether systems and data conversion plans and activities were\nadequate to minimize the risk of errors and omissions during implementation of the NFE.\n\nKPMG was unable to conduct its work in accordance with generally accepted government\nauditing standards. Specifically, KPMG was unable to collect sufficient, competent, and\nrelevant evidence in a timely manner as required by generally accepted government\nauditing standards to provide a reasonable basis for audit conclusions related to the audit\nobjective. In addition, the scope of work performed did not support an opinion regarding\nour objective, the adequacy of internal control, or compliance with applicable regulations\nrelated to NFE systems and data conversion. Further, FDIC management informed us\nthat providing access to the OIG would \xe2\x80\x9cdefinitely impact\xe2\x80\x9d the NFE implementation\nschedule. As a result, the audit was terminated on April 6, 2005, and KPMG disclaims\nfrom providing any assurances with respect to the audit objective. A detailed discussion\nof our audit objective, scope, and methodology is provided in Appendix A of this report.\nThis report provides information on our reservations with regard to the objective based on\nthe limited review that KPMG performed.\n\nKPMG evaluated data and systems conversion activities according to guidelines\nestablished by the National Institute of Standards and Technology (NIST), the Capability\nMaturity Model Integration (CMMI) for systems engineering, and Joint Financial\nManagement Improvement Program (JFMIP) for government financial systems. KPMG\nalso considered relevant guidelines from the Government Accountability Office (GAO)\nand the Office of Management and Budget (OMB) that are related to the implementation\nof the Federal Financial Management Improvement Act (FFMIA) and OMB Circular\nNo. A-127, Financial Management Systems.\n\nResults of Limited Review\nThe FDIC had developed a general data conversion methodology that was tailored for the\nNFE implementation at the FDIC that presents considerations common among all data\nconversion activities (legacy systems and PeopleSoft applications) and a brief description\nof the approach to converting each application. The FDIC also has reported considerable\nprogress in completing most data and systems conversion activities considered critical to\nthe NFE deployment, which occurred on May 2, 2005.\n\nAlthough KPMG cannot express an overall opinion regarding the systems and data\nconversion activities, the limited work performed did identify several reservations related\nto the data conversion process, data validation testing, and data clean-up planning that\n\n\n\n\n                                            I-3\n\x0cwarranted management attention. Additionally, KPMG noted performance test concerns\nin preparation for systems conversion to NFE.\n\nBACKGROUND\n\nOn December 10, 2001, the FDIC\xe2\x80\x99s Board of Directors approved the purchase and\nimplementation of a commercial-off-the-shelf solution to support an enterprise-wide\nfinancial environment for the FDIC. The decision was based on the need to modernize\nthe FDIC\xe2\x80\x99s complex and aging legacy financial systems. In October 2002, the FDIC\ncontracted with Accenture LLP (Accenture) to assist the Corporation in replacing its\nfinancial systems with a PeopleSoft financials solution. This effort, called the New\nFinancial Environment project, is jointly managed by the FDIC\xe2\x80\x99s Division of Finance\n(DOF) and Division of Information Technology (DIT). The current NFE project timeline\nis separated into two phases of deployment. The first phase called for deployment of core\nPeopleSoft financial modules in May 2005. Phase II deployment includes the PeopleSoft\nEnterprise Performance Management suite to assist in FDIC strategic decision-making\nactivities in the areas of Budgeting and Receivership Service Billing by July 1, 2005 and\nActivity Based \xe2\x80\x9cCost\xe2\x80\x9d Management by September 1, 2005.\n\nNFE System Implementation\n\nThe implementation of the NFE system affects many systems throughout the FDIC.\nTherefore, the deployment of the system will, in varying degrees, involve users from each\ndivision and office of the Corporation. The NFE project team has coordinated the\ntransition activities with the business owners. These activities include understanding and\ndocumenting re-engineered business processes and preparing for data conversion.\n\nTo prepare for NFE implementation, Accenture developed a Transition Plan and a Data\nConversion Approach and Plan, which contained numerous interdependent tasks that had\nto be performed for NFE system deployment. Some of these tasks included completing\nuser procedures for the 23 key business operations, ensuring data integrity for 35 retiring\nsystems and 23 interfacing legacy systems, and conducting user acceptance testing for the\ncore financial system. The Transition Plan defined the overall framework for the\ntransition to the NFE. The plan listed the transition activities; stakeholder\nresponsibilities; communication methods for stakeholders; NFE and other FDIC system\ninterfaces; and the management, control, and reporting mechanisms for transition\nprogress. The Data Conversion Approach and Plan presented the methodology for the\nconversion of data from the legacy systems to the PeopleSoft applications. Although this\nplan was general in nature, more detailed design documents for application-specific data\nconversions had been prepared.\n\nThe plan and design documents described above also defined activities for pre-conversion\nand cutover phases of data and systems conversion. Pre-conversion activities included\ntasks prior to and leading up to the conversion, such as determining the scope and\n\n\n\n\n                                            I-4\n\x0capproach or method, developing the conversion plan, performing data clean-up and\nvalidation, ensuring data integrity, and conducting necessary analysis and testing. Cutover\ntasks to convert the legacy data to the new system were to include testing system process\nand data edits; testing system interfaces, both incoming and outgoing; managing the\ncritical path of system implementation; supervising workload completion; and performing\ndata reconciliation.\n\nNFE Test Strategy\n\nThe FDIC had developed a rigorous multi-stage test strategy and schedule for NFE to\nensure that the system will function as designed and meet user\xe2\x80\x99s needs. Key components\nof this test strategy included Systems Integration Testing (SIT) and User Acceptance\nTesting (UAT). Additionally, the FDIC had established independent quality assurance\ntesting for NFE that was performed by the FDIC Configuration and Quality Management\nStaff (CQMS).\n\n\xe2\x80\xa2   SIT ensures that all business functions perform as designed on an end-to-end basis\n    across the NFE applications and platforms. SIT verifies that the application modules\n    interact correctly within PeopleSoft financial modules, including all interfaces that\n    send or receive transactional data to/from the NFE.\n\xe2\x80\xa2   UAT is the final round of NFE testing, and its purpose is to secure the agreement of\n    all business process owners that the PeopleSoft modules, as modified and configured,\n    and the impacted FDIC legacy application interfaces meet the business owners\xe2\x80\x99\n    current, stated business requirements when used in conjunction with processes and\n    procedures developed by the business owners and the NFE business planning team.\n\xe2\x80\xa2   CQMS performed quality assurance test activities over a 3-week period starting on\n    November 1, 2004. The scope of this review, as stated in the CQMS NFE Test Plan\n    dated September 22, 2004, was to verify the effectiveness of the SIT performed\n    against NFE core financial modules and interfaces.\n\nData and Systems Conversion\n\nOf the many critical tasks necessary to successfully implement a new financial system,\ndata conversion is one of the most frequently underestimated. From the outset, it should\nbe understood that financial systems data conversion is a complex and difficult task that\nrequires highly skilled staff for successful completion. If data conversion is done right,\nthe new system has the opportunity for success. However, converting data incorrectly has\nlengthy and long-term repercussions.\n\nData conversion is defined as the automated or manual modification of existing data to\nenable the data to operate with similar functional capability but in a different\nenvironment. Automated conversion is the process of transferring selected transactions\nfrom the legacy system to the new one through the use of an automated tool or custom-\ndeveloped software. The volume of data and difficulty in performing an automated\n\n\n\n\n                                            I-5\n\x0cconversion are examples of factors considered in determining whether to use a manual or\nautomated conversion process. Other specific issues that apply uniquely to the\nreplacement of a financial system include the identification of specific open transactions\nand beginning balances to be established, consideration of data conversion approaches\nand implications, and analysis and reconciliation to validate transactions and data.\n\nSystems conversion relates to activities to prepare a new system for deployment in its\noperational environment, including the planning and tests of system performance as a\nmeans of addressing any performance-related issues that may impact the availability of a\nnew system to its user community.\n\nTHE FDIC\xe2\x80\x99S DATA AND SYSTEMS CONVERSION APPROACH AND KPMG\xe2\x80\x99S\nRESERVATIONS\n\nThe FDIC\xe2\x80\x99s approach in addressing data and systems conversion activities and KPMG\xe2\x80\x99s\nreservations are addressed in the following sections.\n\nData Conversion\n\nThe FDIC had developed a high-level Data Conversion Approach and Plan, initially dated\nOctober 31, 2003, for the NFE implementation at the FDIC. The approach provided\nguiding principles common among all data conversion from legacy systems to PeopleSoft\napplications that included, for example:\n\n\xe2\x80\xa2   determination of what data will be converted based on the \xe2\x80\x9cTo-Be\xe2\x80\x9d processes\n    defined, rather than the \xe2\x80\x9cAs-Is\xe2\x80\x9d legacy data;\n\xe2\x80\xa2   data conversion will be automated when justified (volume, reusability, or cost\n    savings);\n\xe2\x80\xa2   legacy data will undergo data cleansing to reduce data volume and minimize data\n    integrity issues;\n\xe2\x80\xa2   data conversion methods will be tested for their limitations in \xe2\x80\x9cmock\xe2\x80\x9d conversions\n    prior to the actual conversion; and\n\xe2\x80\xa2   converted data will be used in system and user acceptance testing to help identify data\n    conversion and data integrity issues.\n\nAdditionally, as shown in Table 1, the approach identifies major development stages and\nthe objectives for each stage of the conversion process that each major NFE conversion\narea would undergo.\n\n\n\n\n                                            I-6\n\x0cTable 1: NFE Conversion Development Cycle\n\n Assess                       Analyze                       Design                  Build                   Implement\n Identify the legacy          Conduct further analysis      Create translation      Develop conversion      Schedule\n systems data                 into the data types                                   program modules         conversion\n                              identified during the\n                              Assess stage\n Define the requirements      Create data maps &            Create manual           Verify that data        Extract clean legacy\n for historical data          validation rules              conversion              clean-up efforts are    data\n                                                            procedures (if          on schedule\n                                                            applicable)\n Assess the data quality in   Identify specific data        Prepare detailed        Execute test plans      Execute official\n legacy systems               extraction criteria from      design specifications                           conversion\n                              legacy systems\n Determine data volumes       Finalize selection of         Verify that data        Define conversion       Reconcile converted\n                              specific conversion tools     clean-up efforts are    cutover plan            data to legacy data,\n                                                            on schedule                                     and obtain sign-off\n Identify crosswalks          Develop templates and         Develop verification    Execute \xe2\x80\x9cmock\xe2\x80\x9d\n                              standards for the design      and sign-off            conversions and\n                              stage                         procedures              verify\n Identify the best method     Update the work plan, and     Update the work         Resolve problems\n of conversion                revise time estimates         plan, and revise time   with data and/or\n                                                            estimates               conversion\n                                                                                    specifications\n Estimate analysis time,                                                            Update the work\n and prepare an overall                                                             plan, and revise time\n work plan                                                                          estimates\n\n\n\nKPMG noted that the NFE Data Conversion Approach and Plan also provided a brief\ndescription of the approach for converting each application where automated conversions\nand data clean-up were planned for asset management, general ledger, vendor, and\npurchase order functions. KPMG also noted that manual conversions were planned for\naccounts receivable and cash management functions.\n\nNFE Project Management documentation shows that performance of conversion\ndevelopment activities began in October 2003 with the development of an overall\nstrategic development plan, development of design documents from November 2003\nthrough April 2004, and mock conversions from May 2004 through March 2005.\n\nKPMG has summarized its reservations associated with data conversion activities in\nTable 2 on the next page and has assigned a risk ranking based on risk-management-\nassessment criteria defined for the NFE project. See Appendix B for a description of the\nrisk assessment approach.\n\n\n\n\n                                                          I-7\n\x0cTable 2: Reservations Associated With Data Conversion Activities\n                                                                                                               Risks\n                Reservations                                    Potential Impact                        High   Medium   Low\n\n    Data Conversion Process\n    \xe2\x80\xa2 No detailed conversion plan or             \xe2\x80\xa2   Data conversion requirements not adequately\n        approach for major automated                 defined or addressed, increasing likelihood of\n        conversion (AM, GL, PO, and                  errors and omissions.\n                                                                                                         \xe2\x88\x9a\n        Vendor).a\n    \xe2\x80\xa2 No detailed plan or approach for           \xe2\x80\xa2   Risk of errors and omissions increases without\n        manual conversions (Accounts                 appropriately defined, critical pre-data            \xe2\x88\x9a\n        Receivable, Cash Management).                conversion activities.\n    \xe2\x80\xa2   Data conversion detail design            \xe2\x80\xa2   Account balances not traceable to audited\n        documents for most automated                 sources from the legacy systems.\n        conversion areas lack both\n        functional and technical\n        information (e.g., reasons for\n        approaches, references to data                                                                   \xe2\x88\x9a\n        clean-up/ validation approaches,\n        data mapping of source/target\n        fields).\n\n\n    Data Validation Testing\n    \xe2\x80\xa2   No standards or formal planning          \xe2\x80\xa2   Data integrity issues may exist without\n        regarding data validation for most           validation rules defined and implemented.           \xe2\x88\x9a\n        major automated conversion areas.\n    \xe2\x80\xa2   Testing of converted data may not        \xe2\x80\xa2   Without the separation, testers cannot easily\n        be adequately addressed. UATb                identify additional testing efforts required for\n        combines new and converted data              data validation, increasing risks of errors and\n        into the same test script (e.g., focus       omissions (e.g., appears that FDIC incorporated\n        in AM appears to have been on                KPMG validation list suggestions into AM for                \xe2\x88\x9a\n        newly created scripts).                      testing converted assets from April 1 through\n                                                     April 7, 2005).\n\n\n    Data Conversion Results\n    \xe2\x80\xa2   Purchase orders are converted into       \xe2\x80\xa2   Approximately 1,000 out of 5,000 partially paid\n        NFE without supporting detail, and           POs are potentially at risk of duplicate            \xe2\x88\x9a\n        the amount of time to search                 payment.\n        supporting detail from the legacy        \xe2\x80\xa2   Potential inability to pay vouchers in a timely\n        systems, including impact on                 manner may cause the FDIC to be in violation        \xe2\x88\x9a\n        users\xe2\x80\x99 workload is unknown.                  of the Prompt Payment Act.\n        Consequently, users will not be          \xe2\x80\xa2   Having to maintain the legacy systems and the\n        able to determine through NFE                                                                    \xe2\x88\x9a\n                                                     PeopleSoft application may create extreme\n        whether an invoice for a converted           confusion and hardship from both an\n        PO was previously paid.                      operational and technical support perspective.\n\n\n    Data Clean-up\n    \xe2\x80\xa2   No data clean-up plans for major         \xe2\x80\xa2   Errors may be perpetuated in NFE, causing           \xe2\x88\x9a\n        automated conversion areas.                  major post-reconciliation efforts to occur.\na\nAM \xe2\x80\x93 Asset Management, GL \xe2\x80\x93 General Ledger, PO \xe2\x80\x93 Purchase Order.\nb\nUAT \xe2\x80\x93 User Acceptance Testing.\n\n\n\n\n                                                             I-8\n\x0c        Systems Conversion\n\n        FDIC management stated that the NFE performance testing did not follow a typical\n        system development life cycle\xe2\x80\x99s performance test approach. For the NFE, high-level\n        performance measures were needed in the statement of work (SOW) and were used as the\n        basis for performance planning throughout all levels of testing. Specifically, the SOW\n        stated that results are acceptable for:\n\n        \xe2\x80\xa2    5 seconds or less for online transactions on the FDIC\xe2\x80\x99s metropolitan area network and\n             15 seconds or less on the wide area network;\n        \xe2\x80\xa2    2 minutes or less for queries of little complexity;\n        \xe2\x80\xa2    5 minutes or less for queries of moderate complexity; and\n        \xe2\x80\xa2    10 minutes or less for queries of high complexity.\n\n        Additionally, the SOW stated that the estimated range of transaction volume for the NFE\n        is from a low range of 11,896,500 with 25 concurrent users to an estimated high range of\n        21,274,000 with 150 concurrent users during a crisis. According to FDIC management,\n        the criteria were based on the current legacy systems\xe2\x80\x99 performance. The metrics\n        described form the basis for five cycles of performance testing where each is intended to\n        do the following:\n\n        \xe2\x80\xa2    Cycle One \xe2\x80\x93 NFE On-line Stress Test\n        \xe2\x80\xa2    Cycle Two \xe2\x80\x93 Corporate Human Resources Information System, including\n             Supplemental Payments\n        \xe2\x80\xa2    Cycle Three \xe2\x80\x93 Major PeopleSoft Tuning\n        \xe2\x80\xa2    Cycle Four \xe2\x80\x93 Query/Report\n        \xe2\x80\xa2    Cycle Five \xe2\x80\x93 Batch Window Tuning\n\n        KPMG has summarized its reservation associated with systems conversion activities in\n        Table 3 below and has assigned a risk ranking based on risk management assessment\n        criteria defined for the NFE project. See Appendix B for a description of the risk\n        assessment approach.\n\nTable 3: Reservation Associated With Systems Conversion Activities\n                                                                                                       Risks\n                    Reservation                           Potential Impact                      High   Medium   Low\n\n Systems Conversion \xe2\x80\x93 Performance Testing\n \xe2\x80\xa2 System performance testing proceeded   \xe2\x80\xa2 Unpredictable system performance could\n     without a detailed test plan and omitted   seriously impact or interrupt NFE operations.     \xe2\x88\x9a\n     critical tests of performance.\n\n\n\n\n                                                           I-9\n\x0cConclusion\n\nKPMG recognizes that the reservations identified may not be addressed prior to NFE\nscheduled implementation. Also, audit work was not completed due to the scope\nlimitation previously discussed. Therefore, the report contains no recommendations.\nHowever, KPMG suggests that the Directors of DOF and/or DIT and the NFE project\nmanagement team review the risks identified and develop risk mitigation procedures as\noutlined in the NFE risk management plan for addressing the reservations at an\nappropriate time.\n\n\n\n\n                                          I-10\n\x0c            APPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY\n\nObjective\n\nThe objective of the audit was to determine whether the systems and data conversion\nplans and activities were adequate to minimize the risk of errors and omissions during\nimplementation of the NFE.\n\nScope\n\nThe scope of coverage in meeting the audit objective focused on data and systems\nconversion activities critical to NFE deployment, which included the following:\n\xe2\x80\xa2 Evaluate the effectiveness of NFE data and systems conversion planning and test\n   activities critical to NFE deployment for NFE modules where automated conversions\n   were to take place.\n\xe2\x80\xa2 Focus on performance test issues related to systems conversion activities.\n\xe2\x80\xa2 Evaluate data conversion activities for NFE interfaces to legacy systems for three of\n   eight selected NFE legacy interfaces considered critical to deployment. The interface\n   systems included the Control Totals Module as the primary receivership and\n   subsidiary financial reporting system, Electronic Travel Voucher System, and\n   Dividend Processing System.\n\xe2\x80\xa2 Evaluate effectiveness of \xe2\x80\x9cmock\xe2\x80\x9d data conversions for accuracy and completeness.\n\xe2\x80\xa2 Evaluate effectiveness of system performance tests as an accurate predictor of\n   production performance in identifying any performance problems for corrective action\n   prior to system deployment.\n\nScope Limitation\n\nThe audit of NFE systems and data conversion was terminated on April 6, 2005 before it\nwas completed. As previously stated, KPMG was unable to collect sufficient, competent,\nand relevant evidence in a timely manner as required by generally accepted government\nauditing standards to provide a reasonable basis for audit conclusions related to our\nobjective. More specifically, the scope of audit work performed did not support an\nopinion regarding our objective, the adequacy of internal control, or compliance with\napplicable regulations related to NFE systems and data conversion. In addition, had the\naudit been completed, other matters may have come to our attention concerning the\nadequacy of overall NFE implementation.\n\nBeyond our concerns regarding compliance with auditing standards, our goal was to\ncomplete our audit work and provide management with findings, conclusions, and\nrecommendations, if any, that management could address prior to NFE implementation to\nachieve maximum benefit. However, due to NFE implementation activities, NFE project\nmanagers and team members were often not available to respond in a timely manner to\nour requests for interviews or documentation. In fact, FDIC management informed us\n\n\n\n\n                                           I-11\n\x0c                                                                            APPENDIX A\n\nthat providing access to the OIG would \xe2\x80\x9cdefinitely impact\xe2\x80\x9d the NFE implementation\nschedule. With data conversion activities still in process and NFE implementation\nimminent, we could not obtain sufficient information or perform necessary procedures\nregarding the data conversion activities to achieve our goal or to accomplish our stated\naudit objective.\n\nMethodology\n\nKPMG performed the following work related to the audit objectives before terminating\nthe effort:\n\xe2\x80\xa2 Conducted interviews with DIT and DOF officials who were responsible for\n    managing and implementing the NFE project as well as representatives from\n    Accenture LLP, the consulting firm hired by the FDIC to provide NFE\n    implementation services, including performance of system development test\n    activities. We also spoke with business process leads from several divisions to\n    determine their involvement in data conversion activities such as data reconciliation\n    and to obtain an understanding of NFE conversion activities, including procedures\n    and practices.\n\xe2\x80\xa2 Reviewed NFE system performance, systems conversion, and data conversion\n    documentation.\n\xe2\x80\xa2 Performed data analysis to sample the completeness and accuracy of asset conversion.\n\xe2\x80\xa2 Obtained and reviewed conversion test script and results for AM including review of\n    reconciliation processes applied.\n\xe2\x80\xa2 Obtained a data extract of purchase orders from the Financial Information\n    Management System to perform data analysis to determine conversion volume,\n    feature workload, and risk of duplicate payments.\n\nKPMG also determined the risk levels for the NFE project related to data and systems\nconversion activities where specific risks are likely to occur.\n\nPrior Audit Coverage\n\nThe OIG has issued the following reports related to the NFE:\n\n\xe2\x80\xa2   Audit Report No. 05-019 entitled, FDIC\xe2\x80\x99s New Financial Environment Testing, dated\n    June 6, 2005, which addressed the adequacy of NFE\xe2\x80\x99s test and defect management\n    processes.\n\xe2\x80\xa2   Audit Report No. 05-007 entitled, Management Controls Over the Re-baselined New\n    Financial Environment Project, dated February 18, 2005, which addressed whether\n    the FDIC has established adequate management control over the re-baselined NFE\n    project.\n\n\n\n\n                                           I-12\n\x0c                                                                         APPENDIX A\n\n\xe2\x80\xa2   Audit Report No. 03-045 entitled, New Financial Environment Scope Management\n    Controls, dated September 29, 2003, which addressed whether the FDIC had\n    implemented adequate controls for ensuring that the scope of the NFE project was\n    effectively managed.\n\xe2\x80\xa2   Audit Report No. 03-016 entitled, The New Financial Environment Project Control\n    Framework, dated March 5, 2003, which addressed whether the FDIC had established\n    a control framework for the NFE project.\n\xe2\x80\xa2   Audit Report No. 03-002 entitled, Preaward Review of the New Financial\n    Environment Project, dated October 7, 2002, which provided observations on selected\n    procedures and documents related to the NFE Request for Proposal.\n\xe2\x80\xa2   Evaluation Report No. 01-004 entitled, The New Financial Environment Project,\n    dated December 7, 2001, which assessed the reasonableness of the NFE cost-benefit\n    analysis and the financial systems architecture.\n\nKPMG conducted field work in Washington, D.C., and at the FDIC\xe2\x80\x99s Virginia Square\nfacility from January through March 2005. Based on the scope limitation described\nearlier, KPMG was unable to conduct this audit in accordance with generally accepted\ngovernment auditing standards. Therefore, KPMG disclaims from providing any\nassurances with respect to the objective of the audit.\n\n\n\n\n                                          I-13\n\x0c                  APPENDIX B: RISK ASSESSMENT APPROACH\n\nRisk Ratings\nPer CMMI and industry standard practices, software projects should establish a risk\nmanagement strategy that includes categorization of risks identified to develop a\nmitigation strategy that reduces risks to levels acceptable to management. KPMG\nassessed the potential impact of risks identified in this review based on professional\njudgment and applicable risk management criteria defined for the NFE project by the\nFDIC. The NFE project assesses risks based on probability of occurrence and impact as\nfollows:\n\nProbability\nThe likelihood of risk occurrence is quantitatively or qualitatively rated on the following\nscale:\n       Probability                 Uncertainty Statement                  Evaluation of\n                                                                       Impact (see Impact)\n          > 80%                    Extreme, Almost certain                       5\n        61%-80%                          High, Likely                            4\n        41%-60%                            Medium                                3\n        21%-40%                               Low                                2\n         1%-20%                  Very Low, Highly unlikely                       1\n\nImpact\nImpact is an estimate of the overall scale of the impact following an occurrence of each\nrisk. Impact measures the severity of adverse affects, or the magnitude of a loss, if the\nrisk comes to pass and is rated on the following scale:\n\n       5 - Critical impact; threatens overall success of NFE on a long-term basis.\n       4 - High impact; significant disruption to successful delivery of NFE objectives,\n       products, and benefits.\n       3 - Medium impact; significant disruption to NFE schedule, cost, and products\n       over the medium term.\n       2 - Low impact; progress disrupted with moderate to low extensions to schedule\n       and cost, across short term.\n       1 - Very low impact; slight exposure.\n\nThe two variables, impact and probability, are combined to assess the overall risk\ncategory as displayed in the following matrix.\n\n\n\n\n                                            I-14\n\x0c                                                                                  APPENDIX B\n\nRisk Assessment Matrix\n              Impact\n\n          5 \xe2\x80\x93 Critical\n          4 \xe2\x80\x93 High                                                            3\n\n          3 \xe2\x80\x93 Medium                                   2\n\n          2 \xe2\x80\x93 Low               1\n\n          1 \xe2\x80\x93 Very Low\n                            Very Low  Low     Medium    High    Extreme\n                            0 \xe2\x80\x93 20% 21 \xe2\x80\x93 40% 41 \xe2\x80\x93 60% 61 \xe2\x80\x93 80% 81 \xe2\x80\x93 100%\n                                                 Probability\nSource: The FDIC New Financial Environment Risk Management Plan developed by Accenture.\n\nRisk categorization is based upon factors where specific risks are likely to occur\nincluding technical, operational, external, resource/cost, and schedule. Overall risks\nassigned by KPMG focused on issues impacting the FDIC\xe2\x80\x99s ability to achieve NFE\nobjectives from both a technical and operational nature. These factors, referred to as risk\ndrivers, may impact both Cost and Schedule risks.\n\nEach risk is described further below:\n\nTechnical\nTechnology-based risks consider the non-achievement of the application specifications\nand benefits expected. These risks include new/non-standard platform technology,\nintegration problems with existing systems, migration problems, performance\nexpectations not achieved, environment complexity and functionality, and system\noperability.\n\nOperational\nOperational-based risks focus on the peripheral organizational and business operational\nre-engineering changes arising from the NFE implementation effort. These risks consider\nboth the transitional and the long-term effects of the NFE\xe2\x80\x99s introduction, including the\norganizational and behavioral changes required, the human and physical resource\nplanning, and communication required to facilitate a smooth transition to the new\nstructure.\n\nExternal\nExternal-based risks consider the environmental factors largely outside of the control of\nthe NFE Project Management that can directly or indirectly affect the successful delivery\nof the NFE. Risks arising from legislative regulations, legal requirements, and the\nstrategic direction and priority conflicts of a controlling body are profiled under this\ncategory.\n\n\n\n                                              I-15\n\x0c                                                                            APPENDIX B\n\nResource/Cost\nCost-based risks outline the non-achievement of the financial benefits of NFE. These\ncost risks include additional costs in changing or solving design, application program, or\noperational problems.\n\nSchedule\nSchedule-based risks focus on the non-achievement of the biggest system benefits within\nthe specified time frame. These schedule-based risks arise from extensions as a result of\nscope changes, resource unavailability, and additional schedule extensions for solving the\nrisks as discussed earlier in Resource/Cost.\n\n\n\n\n                                           I-16\n\x0c                Part II\n\nCorporation Comments and OIG Evaluation\n\x0cCORPORATION COMMENTS AND OIG EVALUATION\n\nWe provided the Director, DOF, a draft of this report dated April 22, 2005. The report did not\ncontain a recommendation, and a written response was not required. However, DOF provided a\nwritten response, which is presented in its entirety, beginning on page II-2, and is summarized\nbelow, along with our evaluation of the response.\n\nDOF Response: DOF management responded that it believes that the NFE conversion approach\nwas well planned and well executed. Further, DOF stated that where known data conversion\nweaknesses existed, such as those associated with the purchase order conversion described in our\nreport, manual controls and actions were taken to minimize the risks to the Corporation.\n\nWith respect to NFE performance testing, DOF indicated that \xe2\x80\x9ctuning\xe2\x80\x9d of some functions has\ncontinued during the period immediately following implementation in a few situations where\non-line response time or batch throughput needed improvement. As with any major new\nimplementation, this process is expected to continue for several months, but no interruptions or\ndelays in service are anticipated.\n\nDOF also indicated that since the OIG was completing its field work on NFE testing, the timing\nof the additional audit on NFE systems and data conversion efforts was less than optimal as the\nentire NFE project team was focused on completing the necessary tasks in anticipation of NFE\xe2\x80\x99s\nMay 2, 2005 go-live date. DOF expressed appreciation for our decision to terminate the audit\nand believed it was appropriate under the circumstances.\n\nOIG Evaluation of Response: Due to the audit being terminated, we cannot confirm or\nevaluate the adequacy of the various actions that DOF indicates were taken either in response to\nKPMG\xe2\x80\x99s reservations or in the course of planned conversion activities.\n\nWith regard to the timing of our two NFE-related audits, the FDIC\xe2\x80\x99s concurrent scheduling of\ntwo critical system development activities \xe2\x80\x94 testing and conversion \xe2\x80\x94 made it necessary for the\nOIG to schedule the two audits in a manner that resulted in overlapping timeframes. However,\nas discussed earlier in the report, we terminated this audit when FDIC management informed us\nthat providing access to the OIG would \xe2\x80\x9cdefinitely impact\xe2\x80\x9d the NFE implementation schedule.\nWhile we are pleased that DOF agreed with our decision to terminate the audit, it is important to\nnote that we independently made the decision after carefully assessing the cost/benefit of\ncontinuing the audit, including the impact of the audit on the NFE project team\xe2\x80\x99s ability to meet\nthe NFE go-live date.\n\n\n\n\n                                               II-1\n\x0c\x0cII-3\n\x0c'